U.S. House of Representatives
Committee on Ways and Means
Subcommittee on Social Security

Statement for the Record

Hearing on Social Security’s Death Records

The Honorable Patrick P. O’Carroll, Jr.
Inspector General, Social Security Administration

February 2, 2012

Good morning, Chairman Johnson, Ranking Member Becerra, and members of the Subcommittee. It is a
pleasure to appear before you, and I thank you for the invitation to testify today. I have appeared before
Congress many times to discuss issues critical to the Social Security Administration (SSA) and the services
the Agency provides to American citizens; I appeared before the Subcommittee last week to discuss SSA’s
Disability Insurance program. Today, we are discussing SSA’s Death Master File (DMF) and the Agency’s
process for distributing death records.

SSA has, on the Numident—the Agency’s master database of Social Security number (SSN) holders—a
record of reported deaths. Because of a 1978 Freedom of Information Act (FOIA) lawsuit—Perholtz vs.
Ross—SSA in 1980 was required to make available to the public death records that included the SSN, the
last name, and the date of death of deceased number holders; the result was the creation of the DMF, an
extract of Numident data. Each DMF record usually includes the following: SSN, full name, date of birth,
and date of death. The file contains about 85 million records, and it adds about 1.3 million records each
year. SSA receives death information from many sources, including family members, funeral homes, and
some (but not all) States. SSA does not have a death record for all deceased individuals, thus SSA does not
guarantee the file’s veracity.
A person’s absence from the file does not guarantee the person is alive.

SSA provides the DMF to the Department of Commerce’s National Technical Information Service (NTIS),
a cost-recovery agency, which, in turn, sells DMF data to public and private industries—government,
financial, investigative, credit reporting, and medical customers. Those customers use the data to verify
death and to prevent fraud, among other uses. The DMF thus contains more information than required by
the Perholtz ruling. [1]

The public distribution of SSA’s death records and personally identifiable information (PII) raises concerns
related to SSN misuse and identity theft. Your Subcommittee has discussed ways to improve SSN
protection with SSA and the Office of the Inspector General (OIG) before, but with SSN use widespread
throughout government programs and financial transactions, and technology constantly evolving, the threat
of SSN misuse and identity theft persists. We in the OIG are well aware of the central role the SSN plays in
American society, and part of our mission is to protect its integrity. Therefore, while limiting or
discontinuing the DMF’s availability is ultimately a legislative and policy decision for the Congress and
SSA to make, the OIG has long taken the position that to the extent possible, public access to the DMF
should be limited to that required by law, and that all possible steps should be taken to ensure its accuracy.
We have made numerous recommendations to this effect.

The Congress has recognized the importance of this issue, as current bills for consideration address access
to the DMF. Chairman Johnson and several members of your Subcommittee in November 2011 introduced
the Keeping IDs Safe Act, which would end the sale of the DMF.
While some government and law
enforcement agencies would still have access to the file to combat fraud, the bill would help protect the
death data of all number holders.

[1] In November 2011, SSA made a change to DMF records it provides to NTIS. The Social Security Act
prohibits SSA from disclosing State death records the Agency receives through its contracts with the States,
except in limited circumstances. SSA thus removed about 4.2 million State death records from the DMF.
SSA currently distributes Numident data under agreements with eight government agencies, including the
Centers for Medicare & Medicaid Services and the Internal Revenue Service.

Another House bill, introduced in October 2011 to prevent identity theft and tax fraud, calls for the
Commerce Department to develop a certification program for individuals to complete before accessing the
DMF. According to the proposal, any certified person who disclosed DMF data to another individual, or
any certified person who misused the data, would be fined $1,000 for each illegal disclosure or use.

The DMF data has important and productive uses. Medical researchers and hospitals track former patients
for their studies; investigative firms use the data to verify deaths related to investigations; and pension
funds, insurance organizations, and Federal, State, and local governments need to know if they are sending
payments to deceased individuals. The financial community and State and local governments can identify
and prevent identity theft by running financial and credit applications against the DMF. However, in the
form in which the DMF is currently distributed, methods exist for individuals to misuse SSNs and commit
identity theft.
We have made recommendations to SSA that would improve the protection of PII available
in the DMF through both decreased inclusion of data and increased accuracy; SSA has agreed with some of
our recommendations and disagreed with others.

Our March 2011 report, Follow-up: Personally Identifiable Information Made Available to the Public via
the Death Master File, examined whether SSA took corrective actions to address recommendations we
made in a June 2008 report on the DMF. In the June 2008 report, we determined that, from January 2004
through April 2007, SSA’s publication of the DMF resulted in the potential exposure of PII for more than
20,000 living individuals erroneously listed as deceased on the DMF. In some cases, these individuals’ PII
was still available for free viewing on the Internet—on ancestry sites like genealogy.com and
familysearch.org—at the time of our report.

In June 2008, we recommended that SSA:

   1. Work with the Commerce Department to implement a risk-based approach for distributing DMF
      information, such as implementing a several-month delay in the release of DMF updates, so that
      SSA could correct erroneous death entries;
   2. Limit the amount of information included on the DMF to the absolute minimum required, and
      explore alternatives to the inclusion of an individual’s full SSN;
   3. Initiate required breach notification procedures upon learning that the Agency mistakenly included
      living individuals’ PII in the DMF; and
   4. Provide appropriate notification to living individuals whose PII was released in error.

In our March 2011 report, we found that SSA had taken actions on recommendations 3 and 4. SSA
implemented procedures to report erroneous death entry-related PII breaches to the Department of
Homeland Security’s U.S. Computer Emergency Readiness Team each week.
The Agency also hired a
contractor to provide ongoing reviews of DMF exposure related to thousands of individuals whose PII was
inadvertently exposed from July 2006 through January 2009. The contractor evaluated available data for
patterns that could identify organized misuse, and according to SSA, as of March 2011, the contractor
identified no PII misuse. Thus, SSA did not provide breach notifications to any individual number holders.
We recommended that SSA notify all individuals whose PII was exposed, regardless of the detection of PII
misuse.

SSA did not take actions on recommendations 1 and 2. SSA did not implement a delay in the release of
DMF updates, as the Agency indicated that public and private organizations rely on the DMF to combat
fraud and identity theft. To be effective, those organizations must have immediate and up-to-date
information, SSA said. The Agency also did not attempt to limit the amount of information included on the
DMF, and it did not explore alternatives to the inclusion of an individual’s full SSN, citing the Perholtz
consent judgment and potential litigation under FOIA. SSA added that a deceased individual does not have
a privacy interest, according to FOIA.

Our March 2011 follow-up review revealed that in addition to the recommendations with which SSA did
not agree, several issues remained:

   - SSA continued to, inadvertently, expose the PII of thousands of living individuals each year,
     because the Agency released death information without a short delay to identify and correct most
     death-report errors.
   - SSA’s efforts to delete erroneous death entries from the DMF did not completely mitigate the
     exposure of living individuals’ PII.
     At the time of the report, we searched several ancestry
     Websites, like familysearch.org, and there were instances in which living individuals’ PII remained
     accessible. This likely occurred because the Website was not timely processing DMF updates.
   - SSA continued to disclose far more detailed PII in the DMF (including first name, middle name,
     and date of birth) than required under the original Perholtz consent judgment. We continue to
     believe that reducing the amount of detailed PII included in the DMF would allow the continued
     legitimate use of valid death information, while at the same time limiting the inadvertent PII
     exposure of living individuals.

According to SSA, there are about 1,000 cases each month in which a living individual is mistakenly
included in the DMF. SSA said that when the Agency becomes aware it has posted a death report in error,
SSA moves quickly to correct the situation, and the Agency has not found evidence of past data misuse.
However, we remain concerned about these errors, because erroneous death entries can lead to benefit
termination and cause severe financial hardship and distress to affected individuals. We also have concerns
that DMF update files, some with active SSNs, are a potential source of information that would be useful in
perpetrating SSN misuse and identity theft, including the theft of child identities. DMF updates can reveal
to potential criminals the PII of individuals who are still alive.

We have several other ongoing reports related to DMF data:

   - In Title II Deceased Beneficiaries Who Do Not Have Death Information on the Numident, we have
     identified about 1.2 million Title II beneficiaries who have a date of death on the Master
     Beneficiary Record (MBR), but they do not have death information on SSA’s Numident. SSA uses
     death information from the Numident to create the DMF.
     If a person knew an individual was
     deceased and that the death record was not on the Numident, the person could use the deceased’s
     information to fraudulently file for benefits or credit.
   - In Deceased Beneficiaries Who Have Different Dates of Death on the SSA’s Numident and Payment
     Records, we identified about 11,000 deceased beneficiaries who have a date of death on the
     Numident that differs by at least one month from the date of death on the MBR or Supplemental
     Security Income Record (SSR). We also identified 39 cases in which the date discrepancies resulted
     in potential improper payments of more than $72,000.
   - In Using Medicare Claim Data to Identify Deceased Beneficiaries, we will match SSA beneficiary
     records with CMS databases containing Medicare non-utilization information to determine if the
     beneficiaries are alive.

We in the OIG also remain concerned with the overall accuracy of SSA’s death data. SSA receives about
2.5 million death reports each year from many sources, including family members and funeral homes. In
addition, to identify improper payments to deceased beneficiaries, SSA has computer matches of death
information from other Federal Agencies, such as the Department of Veteran Affairs. However, before SSA
can terminate benefits based on a computer match, it must verify the accuracy of the death information.

SSA has worked with the National Association for Public Health Statistics and Information Systems to
develop standards and guidelines for a nationwide system of electronic death registration (EDR), and
Congress authorized the Department of Health and Human Services to provide grants to help States set up
their systems.
Under EDR, SSA verifies the decedent’s name and SSN with the State at the beginning of
the death registration process, thereby allowing SSA to take immediate action to terminate benefits without
needing to verify the accuracy of the death report. Currently 32 States, the District of Columbia, and New
York City have implemented EDR. SSA expects to work with eight additional States that plan to
implement EDR over the next two years.

We have conducted several audits in recent years related to the accuracy of DMF data:

   - In a September 2011 report, we found that SSA paid $644,000 in monthly survivor benefits to
     family members of 642 living (but mistakenly listed on the DMF) wage earners, even though the
     Agency had deleted the wage earners’ death entries from the DMF, and SSA’s Numident file
     indicated the wage earners were still alive.
   - An April 2011 report found SSA needed to improve controls to ensure it takes timely and proper
     actions to resolve death information on the Numident for suspended Title II beneficiaries.
   - We found that SSA issued payments to deceased beneficiaries after recording valid dates of death
     on the beneficiaries’ Numident record in June 2009.
   - In February 2009, we found that about 98 percent of erroneous death entries on the DMF were
     death reports from non-State sources. Therefore, even if all States were to submit death reports via
     EDR, there could still be some erroneous death entries on the DMF.
     We also found that some death-reporting errors occurred for EDR States.

In conclusion, the OIG has conducted, and continues to conduct, significant audit work to identify methods
SSA could implement to protect PII and death data and to improve the accuracy of its death reporting.
While we encourage efforts to limit public access to this data through legislative or policy changes (such as
the Keeping IDs Safe Act), barring such changes, SSA should implement a risk-based approach for
distributing DMF information, and the Agency should attempt to limit the amount of information included
on the DMF. These actions would protect PII and potentially limit the misuse and abuse of SSNs and
identity theft.

We will continue to provide information to SSA’s decision-makers and to your Subcommittee, and we look
forward to assisting in this effort and future efforts. Thank you again for the invitation to be here today. I
would be happy to answer any questions.